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SECURITY ACCESS AND AUTHENTICATION TOKEN 
WITH PRIVATE KEY TRANSPORT FUNCTIONALITY 



This application claims priority to prior filed 
10 co-pending United States provisional application, No, 
60/119,531, filed February 10, 1999, attorney docket 
no. GORD1-06359US1 SRM, entitled "SECURITY ACCESS AND 
AUTHENTICATION TOKEN WITH PRIVATE KEY TRANSPORT 
FUNCTIONALITY, 11 



COPYRIGHT NOTICE 
A portion of the disclosure of this patent 
20 document contains material which is subject to 
copyright protection. The copyright owner has no 
objection to the facsimile reproduction by anyone of 
the patent document or the patent disclosure, as it 
appears in the Patent and Trademark Office patent file 
25 or records, but otherwise reserves all copyright rights 
whatsoever. 



BACKGROUND OF THE INVENTION 
30 Field of Invention 

This invention relates to security systems. The 
invention is more particularly related to the secure 
transfer of data, passwords, keys, and other private 
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dace, for secure transfer, user validation, 
authorization, etc. The invention is directed cowards 
security systems that can be used in combination with 
computers . 

5 

Discussion of Background 

The background of the invention deals with 
security tokens and the like which are used for secure 
operations with respect to for example, a host 

10 computer. A number of patents presently describe the 
state of the art concerning such security systems . 3y 
way of example only, attention is drawn to the three 
Cargiie patents and the prior art cited therein, ail of 
which is incorporated herein by reference. The three 

15 Cargiie patents include SOLID STATE KEY FOR CONTROLLING 
ACCESS TO COMPUTER SOFTWARE, U.S. Patent No. 4,599,489, 
SOLID STATE KEY FOR CONTROLLING ACCESS TO COMPUTER 
SOFTWARE, U.S. Patent No. 4,609,777, and SOLID STATE 
KEY FOR CONTROLLING ACCESS TO COMPUTER SYSTEMS AND TO 

20 COMPUTER SOFTWARE AND/OR FOR SECURE COMMUNICATIONS, 
U.S. Patent No. 4,819,267. 

SUMMARY OF THE INVENTION 
Roughly described, the private key transport (PKT) 

25 feature allows an embodiment of the token of the 
invention to store an application's private encryption 
key and to securely "transport " the key when needed. 
The private encryption key is sent to an application 
without the encryption, key being exposed to the user of 

30 the token nor is it exposed in transit to the 
application. Once received by a host, the private 
encryption key can be used to lock or unlock, encrypt 
or decrypt other keys and other data. 
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Environments exists where this feature greatly 
reduce ri3ks associated with deploying private key 
based applications. The weakness in existing systems 
is the reliance on a user to enter his passwords to 
•5 unlock or decrypt his asymmetric private keys (i.e. RSA 
private keys) that are resident on ■ his hard disks or 
floppy disks. The passwords are effectively the 
encryption keys that encrypt the private key when it is 
created and stored on the hard drive. The passwords 

10 also then decrypt, or unlock, the private key when 
loaded into memory for use in private key functions 
such as client authentication or signing of 
documents /transact ions . 

The weakness of static password is actually worse 

15 than one might first imagine. Traditional systems that 
rely on weak static passwords also have the ability to 
manage their problem by implementing password controls. 
Web based private key implementations do not have the 
ability to manage the weakness. There is no way to 

20 force web users to change passwords, pick good ones, or 
help them if they have forgotten them. The browsers 
rely on users to select and manage the encryption keys 
(i.e. passwords) that encrypted the private keys. 
Therefore, from a security perspective despite all the 

25 advantages that private key offers, current 
implementations actually are a step backward. 

BRIEF DESCRIPTION OF THE DRAWINGS 
A more complete appreciation of the invention and 
30 many of the attendant advantages thereof will be 
readily obtained as the same becomes better understood 
by reference to the following detailed description when 
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considered in connection with the accompanying 
drawings , wherein : 

Fig. 1 is a block diagram showing information flow 
and processes of the present invention; 
5 Fig. 2 is a diagram of a token and host processes, 

interactions, and information flow according co one 
embodiment of the present invention; and 

Fig. 3 is a flow chart describing processes 
performed of an embodiment of a token having combined 
10 C/R, R/O methods. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
The token of the invention is preferably a Data 
Encryption Standard (DES) based token device. The most 
powerful feature of the token is that it can support up 
to seven different input modes (see Table 1) that 
support both One Time Password (OTP) paradigms - 
Challenge/Response and Response/Only. In addition, the 
token can securely transmit private keys to 
applications . 

Ofle Time ?a55wprd Generation 

In order to generate a OTP all tokens must have a 
secret seed value stored within the token. They must 
also have additional information that is variable. This 
additional information is what is inputted to the token 
when the token is used to generate a OTP. The variable 
input can be internally and/or externally generated. 
The table below identifies the seven different OTP 
modes of operation for the token. The table also 
identifies the source of the variable input given to 
the token for generation of the response or OTP. The 
challenge variable could be a value that the token 
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receives that is used to calculate the cue- time 
password. The time variable could be, for example, the 
time che coken was used. The event variable could be, 
for example, the number of time than the token was 
used. Further details about OTP generation can be 
obtained in the above incorporated by reference Cargile 
patents . 



Table 1 



input 
Modes to Token 


OTP Paradigm 


Source of Token 
Input Variable 


Cftallenqe 


Challenge/Response (C/R) 


External 


Challenge + Event 


Challenge/Response (C/R) 


External & internal 


Challenge + Time 


Challenge/Response (C/R) 


External & Internal 


Challenge + Event * Time 


Challenge/Response (C/R) 


External & Internal 


Event 


Resoonse Only (RJO) 


Internal 


Event + Time 


Resoonse Only (RJO) 


Internal 


Time 


Response Only (R/O) 


Internal 



20 All of the above modes (Table 1) use DES as a 

cryptographic engine for calculating the response. 
Each of the modes are capable of being programmed to be 
compatible with various standards such as ANSI X9.9,' 
Triple -DES , or other popular tokens. 

25 All R/O modes simply require the user to turn the 

unit on and, if required, to enter their personal PIN 
to unlock the unit. When a PIN is required the token 
will prompt the user for a PIN. Ail C/R modes utilize 
an advanced optical protocol enabling the user to 

30 simply hold the device in front of their monitor to 
read the graphical challenge presented to them. The 
token has a high quality keypad for manual entry of the 
challenge, if the monitor is not capable of a graphical 
interface or the user is authenticating over a phone. 

35 

Pyivace/Peysonal Key Transport 
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One of che mors important capabilities of the 
token is the Private Key Transport (PSCTJ feature 
(referred by cryptographic experts as "associative 
reading") . The PKT feature enables installations, or 
5 users, to assign a private key to a token for use by 
encryption applications. Use of the token by an 
encryption application never discloses the private key 
to anyone, including the user, except for the 
encryption application itself. 

10 This is especially useful for applications that do 

not wish to be burdened with storing user's private 
keys. In addition, some installations do not even want 
users to know what their private keys are for 
encryption applications. Users mismanage their private 

15 secrets all the time and the result is the keys have to 
be changed periodically. If a user or installation 
assigns a private key to a user's token, the token can 
communicate the private key to an encryption 
application without having to disclose the private key 

20 during the communication (i.e. display or through a 
network) . Hence the need to change keys are 
dramatically reduced. 

It is important to note that this capability 
applies to both DES and RSA (symmetric and asymmetric) 

25 encryption algorithms. 

In order to understand the significance of this 
feature a brief overview on how this works is needed. 

Figs. 1 and 2 depict a token working with a host 
system running an application that has a need to use a 

30 user's private key for encryption services. The token 
is capable of generating a OTP as described above. 
Fig. 1 depicts the OTP feature in continuation with the 
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PKT feature, while Fig. 2 depicts the OTP feature in a 
3 ingle block in order no highlight the PKT feature. 

The mode used (i.e. one of the seven modes of 
operation) to generate the OTP or Token Response is 
S immaterial - all of the modes can be used. 

When an application requests that a user supply 
their private key for accessing encryption services , 
the user operates the token in the 3ame manner as used 
when authenticating (as described in the three Cargile 
10 patents incorporated herein by reference) . Depending 
upon the OTP mode of operation the user may need to 
input a challenge into the token. The token will 
generate a token response such as for example an OTP 
according to the mode of operation, but will perform an 
15 additional operation before displaying a response on 
the token screen. The operation is illustrated above as 
an "XOR" . The OTP 50 and the user's private key 40 
are combined together (XORed) and the result is the 
Private Key Transport or PKT value 70. It is the PKT 
20 70 that is displayed on the token display for the user 
to communicate to the host system running the 
encryption application. Because the internal OTP 50 is 
always different, the .resulting PKT 70 will also always 
be different. 

25 It should be noted that it is impossible to deduce 

the user's private key 40 with only the PKT value 70, 
hence the user's private key 40 is not in danger of 
being disclosed if the PKT 70 is disclosed. 

The Host sys.tem 101 is capable of also generating 

30 the OTP 51. This i3 what enables the Host system 101 
to validate that a particular user is who they say they 
are when needing to authenticate users. In the PKT 
case however, the host is attempting to provide the 
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encryption application with the user's private key 40 
and therefore uses the same "XOR" operation 61 to 
extract the private key 40 from the PKT 70 . Once the 
"XOR" operation is completed, the encryption 
5 application can then use the private key for encryption 
services . Note that even though the PKT is always 
different, the private key extracted from each PKT 
generated is always the 3ame, a requirement: for 
symmetric encryption algorithms. 
10 Once the encryption services have been completed 

the application simply erases the private key from 
memory, thereby protecting the private key from further 
disclosure. 

An important point to note is that when using the 

15 token for generating PKTs, the secret OTP seed value 
does not have to be kept secret. The value can be 
openly distributed to amy host system. This is not the 
case when using the token tt> authenticate user's via 
the token's OTP. Host systems can generate as many 

20 possible OTP's as they want, but until a physical token 
uses an OTP to generate a PKT, a private key cannot be 
generated. It should also be noted that the token can 
be optically programmed in the field. This feature 
enables the token private keys to be altered if 

25 desired. 

Fig. 1 illustrates a clock 20 and seed value 30 
input to the OTP generator 10. The clock 20 may be a 
timepiece synchronized (within any predetermined 
interval) with a clock 21 at a host device. 

30 Alternatively, the clock may take the form of any type 
of counting mechanism to provide a changing number for 
each or any set of OTP generations performed. 
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The problem that ?KT feature solves is this - How 
can I communicate my static private key to an 
encryption application without using a static value 
that is susceptible to being trapped? The above 
5 discussion explains how the inventive token provides 
the solution for this problem. 



XQR Operation 



Token 


Token 


Private Key 


Host 


Host Private 


Private Key 


Response 


Transport 


Response 


Key 


1 


1 


0 


1 


1 


1 


0 


1 


0 


1 


0 


1 


1 


1 


0 


0 


0 


0 


0 


0 



15 

Exclusive OR operation (XOR) does the following. 
When two values are compared, if they are the same the 
result is a 0. If they are different the result is 1. 
Since we are dealing at the lowest level possible for 
20 computers the only two values possible are 0 and 1. 
The following table describes all possible combinations 
of and exclusive or operation: 

1 + 0 = 1 

1 + 1 3 o 

25 0+0=0 

Therefore in the above example, I have selected a 
token private key of ■ 1100 1 and a token response value 
of T 1010 r . If I apply an exclusive or operation on 
these two values I get the following result - 1 0110 ' , 

30 which is my Private Key Transport value. This is what 
happens : 

1 + 1 = 0 
1 + 0 = 1 
0 + 1 = 1 

35 0 + 0 = 0 
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This value by itself calls me nothing about the 
Token Private Key. '0110' in no way tells me that the 
real key is ' 1100 ' . 
5 But: due to the properties of the exclusive or 

operation,, if I did this operation using the ?KT and 
one of the original two inputs (Token Private Key and 
a Token Response such as an OTP) then what will be 
revealed is che value of the input field not used- In 
10 our case the only value that the host knows about is 
the Token Response (OTP) value. Therefore, the host 
takes the PKT value '0110' and exclusively OR's it with 
the host generated token response value of ■ 1010 1 . 
This is what happens: 

0 + 1 = 1 

1 + 0=1 
1 + 1 = 0 
0 + 0=0 

The result of the operation is '1100' which is 
equal to the Token Private Key. 

Pig. 3 illustrates a process flow of a token 
embodiment that responds to any of C/R and R/O 
paradigms. At step 300, the token unit is powered up. 
A user inputs a password or other logon information to 
unlock the token (step 310) . Steps 320 and 330 
illustrate decision making when the token is 
interrogated by a system and the token determines if 
C/R 325 or R/O 335. processing is required. The 
corresponding processes are performed and the token 
enters a wait state 340 for further action. Upon 
completion of token use, the user powers down the unit 
(step 350) . 
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The token includes a computing mechanism that may 
be initiated by a user. The following is an example of 
a process implemented by an initiacion application 
resident on a token according to one embodiment of the 
5 present invention and performed by the computing 
mechanism. Each individual step has an associated part 
of the application that implements the individual step. 







Digipass Token 


DP700 


PIN code is 12541 


Digipass Application 


Challenge/Response 


First application under the T - 
button 


Activation Code 


YMK3 1SUK ID5A 





Phase 1; First -Time Activation : 

(a) A token application prompts the user to type 
the Activation Code of the selected Test Token: enter 
the 12 -character code (see table above) . 

(b) The application prompts a first Challenge: 
enter it in the CP/700 and copy the Token response as 
First Dynamic Key in the application. 

(c) The application prompts a second Challenge: 
enter it in the DP700 and copy the Token response as 
Second Dynamic Key in the application. 

(d) The two different Dynamic Keys are verified. 

(e) Both Dynamic Keys should produce the same 
internal secrets (referenced as SecretK2, or private 
key. 

(f) If no error occurred, the application will 
flag successful PKA Activation and create context file 
userflle.txt. In this file the Activation Code is 
stored together with the Hash Code that is derived from 
the SecretK2. 
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Phase 2: Normal Use: 

(a) The application prompts a Challenge: enter 
it in the DP700 and copy the Token response as Dynamic 
Key in the application. 
5 (b) The Dynamic Keys is verified: if it produces 

an internal secret (referenced as SecretK2 } that yields 
a Hash Code different from the stored Hash Code in 
context file userfils.txt, an error is generated. 

(c) If no error occurred, the application will 
10 flag successful ?KA Activation. 

Reserrjna to Phase 1: First -Time Activation: 

(a) The program may be reset to its initial state 
of operation by removing the context file called 

IS userrile.txt. 

(b) The application provides a button 'Clear 
Context File' to this end. Pressing it once will 
delece the file. 

(c) The next time the 'Start' button is pressed, 
the First- time Activation phase will proceed. 

Accordingly, the present invention provides for an 
inventive private Jcey transport feature, and having 
industrial applicability in a wide range of business, 
security, and other technical fields for secure 
transmission of data, encryption codes, passwords, 
keys, etc. Other features, aspects and objects of the 
invention can be obtained from a review of the figures. 

The present invention may be conveniently 
implemented using a conventional general purpose or a 
specialized digital computer or microprocessor 
programmed according to the teachings of the present 
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disclosure, as will be apparent Co those skilled in the 
computer art . 

Appropriate software coding can readily be 
prepared by skilled programmers based on che teachings 
5 of the present disclosure, as will be apparent to those 
skilled in the software art. The invention may also be 
implemented by the preparation of application specific 
integrated circuits or by interconnecting an 
appropriate network of conventional component circuits, 
10 as will be readily apparent to those skilled in the 
art. 

The present invention includes a computer program 
product which is a storage medium (media) having 
instructions stored thereon/in which can be used to 

15 control, or cause, a computer to perform any of the 
processes of the present invention. The storage medium 
can include, but is not limited to, any type of disk 
including floppy disks, optical discs, DVD, CD-ROMs, 
microdrive, and magneto -optical disks, ROMs, RAMs, 

20 EPROMs, EEPROMs, DRAMs, VRAMs , flash memory devices, 
magnetic or optical cards, nanosystems (including 
molecular memory ICs) , RAID devices, remote data 
storage/archive/ warehousing, or any type of media or 
device suitable for storing instructions and/or data. 

25 Stored on any one of the computer readable medium 

(media) , the present invention includes software for 
controlling both the hardware of the general 
purpose/specialized computer or microprocessor, and for 
enabling the computer or microprocessor to interact 

30 with a human user or other mechanism utilizing the 
results of the present invention. Such software may 
include, but is not limited to, device drivers, 
operating systems, and user applications. Ultimately, 
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such computer readable media further includes software 
for performing the present invention, as described 
above. 

Included in the programming (software) of the 
5 general/specialized computer or microprocessor are 
software modules for implementing the teachings of che 
present invention, including, but not limited to, 
performing XOR operations, OTP generation, and the 
display, storage, or communication of results according 
10 to the processes of the present invention. 

Obviously, numerous modifications and variations 
of the present invention are possible in light of the 
above teachings. It is therefore to be understood that 
within the scope of the appended claims, the invention 
15 may be practiced otherwise than as specifically 
described herein. 
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WHAT IS CLAIMED AND DESIRED TO 3E SECURED BY LETTERS 
PATENT OF THE UNITED STATES IS : 

1 i. A token for generating a private key 

2 transport value, comprising: 

3 a one- time password (OTP) generator configured to 

4 produce a password each time the OTP generator is 

5 invoked; 

6 a private key (?K) storage device configured to 

7 maintain storage of a private key; 

8 a combinatorial device configured to combine 3aid 

9 private key stored in said ?K storage device with a 

10 password produced by said OTP generator to produce a 

11 private key transport (PKT) value; and 

12 a transport mechanism configured to at least one 

13 of display and communicate said PKT value. 

1 2. The token according to Claim 1, wherein said 

2 OTP generator comprises: 

3 a clock device configured to produce a clock 

4 value ; 

5 a seed storage mechanism configured to store a 

6 seed value; and 

7 a second combinatorial device configured to 

8 combine said seed value and a clock value produced by 

9 said clock device to produce an OTP . 



1 
2 
3 



3 . The token according to Claim 2 , wherein said 
clock device varies said clock value at a predetermined 
time interval. 



WO 00/48064 



PCT/US00/03477 



- 16 - 

1 4. The cokes, according no Claim 1, wherein said 

2 OT? generator produces a different password each time 

3 che OTP generator is invoked. 

1 5. The token according to Claim I, wherein said 

2 PK storage device comprises a non -volatile memory chat 

3 stores said private key. 

1 5. The token according to Claim 1, wherein said 

2 combinatorial device is an x-or mechanism. 

1 7. The token according to Claim 1, wherein said 

2 transport mechanism is an optical device that transmits 

3 an optical protocol signal allowing communication of 

4 said PKT from said token to a remote device capable of 

5 receiving said optical protocol signal. 

1 3. The token according to Claim 1, wherein said 

2 transport mechanism is a display device configured to 

3 display said PKT, thereby allowing any one of (1) a 

4 user to read and utilize said PKT, and (2) a receiving 

5 device to scan said PKT. 

1 9. The token according to Claim 1, wherein said 

2 OTP generator is synchronized with a OTP at a host 

3 device that receives said PKT. 

1 10, The token according to Claim 1, further 

2 comprising: 

3 a private key input mechanism configured to 

4 receive a private key from any one of a user and an 

5 Installer of said token; and 
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S a saving mechanism configured to save the received 

7 private key in said privace key storage device. 

1 11. The coken according to Claim 1, further 

2 comprising an input mechanism that receives an input. 

3 condition that invokes said generating a private key 

4 transport value. 

1 12 . The token according to Claim 11 , wherein said 

2 input condition comprises any one of a challenge, 

3 event, time, and any combinations of challenge, event 

4 and time, including (1) event and time, (2) challenge 

5 and event, (3) challenge and time, and (4) challenge 

0 and event and time. 

1 13. The token according to Claim 1, wherein said 

2 generating a private key transport value is performed 

3 based on any one of an event, a time, and a combination 

4 of event and time. 

1 14. The token according to Claim 1, wherein said 

2 OTP generator is synchronized with at least one second 

3 OTP generator at a host device that receives said PKT 

4 value . 

IS. A host device, comprising: 

a one-time password (OTP) generator configured to 
produce a password each time the OTP generator is 
invoked; 

a private key transport ( PKT) reception mechanism 
configured to receive a PKT value having an encrypted 
private key; and 
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8 a combinatorial device configured to combine said 

9 PKT value with a password generated by said OTP 
10 generator to derive the private key. 

1 16. The host: according to Claim 15, wherein said 

2 combinatorial device is an x-or mechanism configured to 

3 x-or 3aid PKT value with said OTP. 

1 17. The host according to Claim 15, wherein said 

2 combinatorial device is a series of x-or gates, a first 

3 inpuc of each gate inputting one binary digit of said 

4 PKT value, and a second input of each gate inputting 

5 one binary digit of said OTP. 

1 18. The host according to Claim 15, wherein said 

2 PKT reception mechanism is an optical receiver 

3 configured to receive an optical protocol signal 

4 containing said PKT value. 

1 19. The host according to Claim 15, wherein said 

2 OTP generator produces a different password each time 

3 the OTP generator is invoked. 

1 20. The host according to Claim 15, wherein said 

2 OTP generator is synchronized with a OTP generator 

3 associated with a token device that produces the 

4 received PKT value. 

1 21. A method of - maintaining and transmitting a 

2 private key, comprising: 

3 producing a one-time password (OTP) ; 

4 retrieving a private key from a storage device; 
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5 combining said OTP and said private key co produce 

0 a private key transport (PKT) value; and 

7 transmitting said ?KT value to a reception 

8 mechanism. 

1 22. The method according to Claim 21, wherein 

2 said step of combining comprises x-oring said OTP and 

3 said private key to produce said private key transport 

4 (PKT) value. 

1 23. The method according to Claim 21, wherein 

2 said step of producing a one time password, comprises: 

3 retrieving a seed value from a storage device; 

4 producing a clock value; and 

5 combining said clock value and said 3eed value to 

6 produce said OTP . 

1 24. The method according to Claim 21, further 

2 comprising the step of: 

3 synchronizing a OTP generator configured to 

4 produce said OTP with a OTP generator used to de- crypt 

5 said PKT value. 

1 25. A method of receiving a private key, 

2 comprising the steps of: 

3 receiving an encrypted private key; 

4 producing a one-time password (OTP) ; and 

5 combining said OTP and the received encrypted 

6 private key to produce the private key. 

1 26. The method according to Claim 25, wherein 

2 said step of combining comprises x-oring said OTP and 

3 said private key to produce said private key. 
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1 27. The method according zo Claim 25, wherein 

2 said seep of producing a one-time password, comprises: 

3 retrieving a seed value from a storage device; 

4 producing a clock value; and 

5 combining said clock value and said 3eed value to 

6 produce said OTP . 

1 23. The method according to Claim 25, further 

2 comprising the step of: 

3 synchronizing a OTP generator configured to 

4 produce said OT? with a OTP generator used to produce 

5 said encrypted private key. 

1 29 . A system for providing secure access and 

2 authorization, comprising: 

3 a token, comprising, 

4 a private key transport (PKT) generation device 

5 configured to generate a PKT value that securely 

6 encrypts a private key, and 

7 a transport mechanism configured to at least one 

8 of (1) display said PKT value, and (2) communicate said 

9 PKT value; and 

10 a host device, comprising, 

11 a PKT reception device configured to accept said 

12 PKT value whether (1) input by a user of said token, or 

13 (2) communicated to said reception device from said 

14 transport mechanism, and 

15 a decryption mechanism configured to decrypt said 
IS PKT value to derive said private key; and 

17 an authorization mechanism configured to authorize 

18 any one of execution of a software program, user 

19 validation (authentication) , and access to a file, 
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20 account:, or other device based on the derived private 

21 key. 

1 30. The 3ystem according to Claim 29, wherein: 

2 said PKT generation device comprises a first 

3 one-time password (OTP) generator and a forward 

4 algorithm that combines a first OTP generated by said 

5 first OTP generator with said private key to produce 

6 said PKT value; and 

7 said decryption mechanism comprises a second OTP 

8 generator and a reverse algorithm that combines a 

9 second OTP generated by said second OTP generator with 

10 said PKT value to derive said private key. 

1 31. The system according to Claim 30, wherein 

2 said forward algorithm is an x-or operation between 

3 said first OTP and said private key. 

1 32. The system according to Claim 30, wherein 

2 said reverse algorithm comprises an x-or operation 

3 between said second OTP and said PKT value. 

1 33. The system according to Claim 30, wherein : 

2 said PKT generation device includes, 

3 a seed value stored in non-volatile memory, 

4 a clock, and 

5 a combinatorial mechanism configured to combine 

6 said seed value and a clock value from said clock to 

7 produce said first OTP; and 

8 said decryption mechanism includes, 

9 a second seed value scored in a second non- 
10 volatile memory, 

11 a second clock, and 
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12 a second combinatorial mechanism configured to 

13 combine said second seed value and a second clock value 

14 from said second clock to produce 3aid second OTP. 

1 34. The system according zo Claim 33 , wherein the 

2 ?KT generation device clock and the decryption 

3 mechanism clock are synchronized. 

1 35. The system according to Claim 29, wherein 

2 said authorization mechanism allows transfer of data 

3 maintained in said private Jcey to any one of 

4 (1) storage 3pace on said host or a connected device , 

5 and (2) another application at said host or connected 

6 device . 

1 36. In a system having multiple users or groups 

2 of users (users) and any number of user accounts, 

3 invocable software programs, and/or other devices 

4 needing secure access/authentication, each of said 

5 accounts, software programs, and/or other devices being 

6 accessible at least one level by any one or more of 

7 said users, said system comprising: 

8 at Least one token for each of said multiple 

9 users, each token configured to generate and transmit 

10 a private key transport (PKT) value containing an 

11 encrypted private key; 

12 at least one host device configured to, 

13 accept a PKT value transmitted from a user's 

14 token, 

15 decrypt the accepted PKT value to derive a private 
IS key associated with the user's token, and 

17 grant access to a file, program, account, or other 

18 device requested by a user of the token, said access 
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19 granted according to authorization associated with the 

20 derived private key. 

1 37. The system according to Claim 36, wherein 

2 each token device comprises : 

3 a one-time password (OTP) generator configured to 

4 produce a password each time the OTP generator is 

5 invoked; 

6 a private key (?K5 storage device configured to 

7 maintain storage of a private key; 

8 a combinatorial device configured to combine said 

9 private key stored in said PK storage device with a 

10 password produced by said OTP generator to produce said 

11 private key transport (PKT} value; and 

12 a transport mechanism configured to at least one 

13 of display and communicate said PKT value; 

14 wherein the private key stored in said PK storage 

15 device of any one token is associated with the user of 
IS said one token. 

1 38. The system according to Claim IS, wherein 

2 each host device comprises: 

3 a one-time password (OTP) generator configured to 

4 produce a password each time the OTP generator is 

5 invoked ; 

6 a private key transport (PKT) reception mechanism 

7 configured to receive PKT value having an encrypted 

8 private key; and 

9 a combinatory device configured to combine said 

10 PKT value with a password generated by . said OTP 

11 generator to derive the private key; 
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12 wherein said derived private key provides access 

13 and/cr authorisation to any of accounts, programs, or 

14 other devices said user is authorized to access. 
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